7.1 Rev: 8/15 95-8599 Safety Manual Eagle Quantum Premier ® SIL 2 Rated Fire & Gas System

Eagle Quantum Premier Safety Manual


Table Of Contents

INTRODUCTION
    Quality Policy Statement
    Scope
    Document Structure

PRODUCT OVERVIEW
    EQP System
    EQP Safety System
    EQP Safety Controllers
    EQP Safety Devices
    EQPSL
    X3301-SIL
    Model PIRECL-SIL
    AIM-SIL Analog Input Module
    EDIO-SIL Enhanced Digital Input/Output Module
    Power Supplies
    S3 Configuration Software
    System Security

PROOF TESTING
    EDIO Input Channel Proof Test
    EDIO Output Channel Proof Test
    AIM Input Channel Proof Test
    X3301 Visual Field Inspection Proof Test
    X3301 Magnetic Oi Proof Test
    PIRECL Visual Field Inspection Proof Test
    PIRECL Gas Response Proof Test
    EQP User Logic Verification

INSTALLATION
    Commissioning Personnel

SUITABLE APPLICATIONS
    General Application Requirements

APPENDIX A – SUMMARY OF SAFETY RELATED DATA

APPENDIX B – EQP CONTROLLER LOGIC GATE TABLE

Note: Where a definition of the term or abbreviation is given in IEC 61508-4 “Definitions and Abbreviations,” the definition from the standard is given first in quotation marks, followed by further explanation if this is necessary.

INTRODUCTION

This Safety Manual describes the actions that must be taken to use the Det-Tronics Eagle Quantum Premier® (EQP) Safety System in safety-related applications.

The actions that are described can be either technical or procedural. For example, a procedural action would be the need to maintain password protection of configuration programs, so that non-approved staff cannot modify these.

This document is limited to those actions that are required to ensure compliance with the relevant safety certifications and standards. Other documents such as Manuals and Data Sheets must be referred to for information outside the scope of this document. These documents can be found on the Det-Tronics website www.det-tronics.com.

The Safety Manual is approved and certified by exida® as part of the overall EQP Safety System. Satisfying the requirements it describes is a necessary part of using the EQP Safety System in safety-related applications.

Failure to complete the actions described in this document would contravene the certification requirements.

Completing the actions described in this document will only satisfy some of the requirements defined by IEC 61508 for safety-related applications.

It will be necessary to satisfy the full requirements of IEC 61508, and for Process Industry applications, the requirements of IEC 61511, in order to use the Det-Tronics EQP Safety System in safety-related applications.

Further, it is the responsibility of the user to ensure that the EQP Safety System is suitable for the chosen application and complies with the appropriate application standards.

QUALITY POLICY STATEMENT

All quality assurance control measures necessary for safety management as specified in IEC 61508 Part 1 have been implemented. The quality management system of Det-Tronics is based on the requirements of EN ISO 9001 and ANSI/ASQC Q9001 through the application of the United Technologies Company Achieving Competitive Excellence (ACE) program. In addition, the Quality Management System complies with the European ATEX Directive requirements per EN 13980, the International Electrotechnical Commission requirements per OD005/V2, and the supervised testing requirements per ISO 17025.

SCOPE

The Det-Tronics EQP Safety System is intended for use as part of a programmable electronic system as defined by IEC 61508. It is suitable for low demand safety functions up to safety integrity level 2 (SIL 2).

The safety critical functions for the EQP Safety System include the following:

– Fire input from X3301 and/or EDIO and/or AIM

– Gas alarm from PIRECL and/or EDIO and/or AIM

– Annunciation/Release from EDIO

– System logic for processing and mapping inputs and outputs.


7.1 ©Detector Electronics Corporation 2015 Rev: 8/15 95-8599


The safety related functions of the EQP Safety System include the following:

– Trouble annunciation for compromised safety function by de-energizing the Controller’s Trouble relay

– Digital input for lockout of inhibits.

The EQP Safety System employs a 1oo1D (i.e. 1 out of 1 with diagnostics) architecture to achieve SIL 2. EQP Safety Controllers may be used in redundant mode to increase system availability, but this is not required for the safety-related performance of the system.

Configuring and programming the EQP Safety System must be via a software program known as Safety System Software (S3).

In addition to completing the actions specifically related to the EQP Safety System, it is necessary to satisfy the wider requirements of IEC 61508. This includes elements within the framework of the safety lifecycle, such as hazard and risk analysis and defining the safety instrumented function. This work must be carried out through appropriate and competent Safety Management procedures and staff.

DOCUMENT STRUCTURE

This Safety Manual describes the actions that must be taken to use the Det-Tronics EQP Safety System in safety-related applications. The main sections are as follows:

Introduction

Product Overview gives an overview of the Det-Tronics product range in general and the EQP Safety products in particular.

Proof Testing describes the proof testing that is necessary.

Suitable Applications describes the use of the Det-Tronics EQP Safety System in practical applications. Included are failure rate data and PFDavg calculations.

Appendix A provides a summary of the essential data for safety applications for the Det-Tronics EQP Safety System.

Appendix B gives logic instructions and their restrictions for low demand SIL 2 applications.

PRODUCT OVERVIEW

EQP SYSTEM

The EQP System (on which the Det-Tronics EQP Safety System is based) was originally developed to meet the requirements of industrial fire and gas detection and mitigation. The system comprises (see Figure 1):

• Input/output modules

• Field devices for fire and gas detection

• Controllers which can be programmed to carry out the control of the fire and gas system

• Power supplies and other miscellaneous hardware

• S3 software which is used to configure the system and to generate the logic programs which will be run by the Controllers

• A proprietary protocol known as Eagle Quantum Premier Safety Loop (EQPSL), which provides communication between field devices and the Controllers.

Note: For additional information regarding set-up and installation of the EQP system, refer to the EQP system manual, form number 95-8533.

EQP SAFETY SYSTEM

The Det-Tronics EQP Safety System uses the following specifically developed components (see Figure 2):

• EQ3XXX – EQP Controller

• EQ3730EDIO – Enhanced Discrete Input/Output (EDIO) Module

• EQ3710AIM – Analog Input Module

• X3301 – Multispectrum IR Flame Detector

• PIRECL – Infrared Gas Detector

The data required to establish the suitability of the EQP Safety System for safety-related applications is given in Appendix A of this Safety Manual.

EQP Safety System components and standard components can be used together. The non-safety certified components are classed as non-interfering. A list of all the devices available for the EQP system is maintained at www.det-tronics.com and is shown below.


Non-Interfering Modules

• EQ2400NE – Network Extender

• EQ2400PLR – Physical Layer Repeater

• EQ3LTM LON Termination Module (Redundant Controllers Only)

• 008981-001 Controller to Controller High Speed Serial Cable (Redundant Controllers Only)

• EQPSL Network Cables – Refer to cable specification information in the EQP system manual (form 95-8533).

• EQ3700DCIO – Discrete Input/Output Module

• EQ3720RM – Relay Module

• EQ3750 – Addressable Smoke and Heat Module

• X2200UV – Ultraviolet Flame Detector

• X5200UVIR – Ultraviolet/Infrared Flame Detector

• X9800IR – Infrared Flame Detector

• EQ2200UV – Ultraviolet Flame Detector

• EQ2200UVHT – High Temperature Ultraviolet Flame Detector

• EQ2200UVIR – Ultraviolet/Infrared Flame Detector

• EQ2200DCU – Digital Communication Unit

• EQ2200DCUEX – Discrete Control Unit with Catalytic Gas Sensor

• EQ2200IDC – Initiating Device Circuit

• EQ2200IDCSC – Initiating Device Circuit Short Circuit

• EQ2500ARM – Agent Release Module

• EQ2500SAM – Signal Audible Module

• EQ2100PSM – Power Supply Monitor

• EQ2220GFM – Ground Fault Monitor

• 008056-001 – HART Interface Module

• OPECL – Open Path Eclipse Gas Detector

• FlexVu UD10 Universal Display Module

Non-Interfering Interfaces

• ControlNet

• Ethernet Interface Board

• EtherNet/IP™ Device Level Ring (DLR) Interface Board

• Serial Interface Board

Configuration Software

• Det-Tronics Safety System Software (S3)

Figure 1—Components of a Det-Tronics EQP System

Figure callouts:

1. Multispectrum IR Hydrocarbon Flame Detector
2. Multispectrum IR Hydrogen Flame Detector
3. Single Frequency IR Hydrocarbon Flame Detector
4. UV/IR Hydrocarbon Flame Detector
5. UV Flame Detector
6. Toxic Gas Detector with Display
7. H2S Gas Sensor with Display
8. Hydrocarbon Combustible Gas Detector with Display
9. Combustible Gas Open Path Detector
10. Hydrocarbon Combustible Gas Detector
11. Combustible Gas Detector
12. Discrete Inputs and Outputs Module
13. Single-Fire-Hazard Suppression Module
14. Local Operating Network/Signaling Line Circuit
15. Operator Station and Software
16. Redundant Safety System Controllers
17. Analog (4-20 mA) Input Module
18. Relay Output Module
19. Signal Audible Module
20. Explosion-Proof Camera
21. Surveillance Digital Video Recorder and Remote Station
22. Flame Detector with Explosion-Proof Camera

Links to 3rd-Party Control System or PLC Interface to ControlNet and Modbus


EQP Safety System Component Overview

Figure 2 gives an overview of the role that each element of the EQP Safety System has in implementing the safety function.

Safety Certified Product Identification

All safety certified EQP System modules are clearly identified as such on the product label.


EQP SAFETY CONTROLLER – RUNS THE SAFETY APPLICATION PROGRAM AND CARRIES OUT DIAGNOSTIC CHECKS TO ENSURE IT IS OPERATING CORRECTLY. IF A FAULT IS DETECTED, IT WILL BE INDICATED BY DE-ENERGIZING THE TROUBLE RELAY.

EDIO SAFETY MODULE CONFIGURED FOR DIGITAL INPUTS. MONITORS THE INPUTS AND ALSO CHECKS FOR LINE FAULTS. INTERNAL DIAGNOSTICS CHECK THAT THE MODULE IS OPERATING CORRECTLY.

AIM SAFETY MODULE MONITORS 4-20 mA ANALOG INPUTS. INTERNAL DIAGNOSTICS CHECK THAT THE MODULE IS OPERATING CORRECTLY.

EDIO SAFETY MODULE CONFIGURED FOR DIGITAL OUTPUTS. OBEYS COMMANDS TO SET THE OUTPUTS SENT BY THE CONTROLLER. INTERNAL DIAGNOSTICS CHECK THAT THE MODULE IS OPERATING CORRECTLY. IF A FAULT IS DETECTED, OUTPUTS WILL BE SET TO THEIR SAFE STATE OF HOLD LAST STATE.

X3301 IS A SINGLE INPUT MULTISPECTRUM IR FLAME DETECTOR.

MODEL PIRECL IS A SINGLE INPUT IR COMBUSTIBLE GAS DETECTOR.

NOTE: DEVICES ARE SUITABLE IN LOW DEMAND SIL 2 SAFETY INSTRUMENTED SYSTEMS.

Figure 2—Det-Tronics EQP Safety System Component Overview


EQP SAFETY CONTROLLERS

The EQP Safety Controllers share a common hardware and software platform with standard EQP Controllers. The SIL rated version of the Controller conducts additional diagnostic checks and annunciates additional fault conditions.

Safety compliance is assured by additional diagnostics, which detect failures and take appropriate action should errors be detected.

If the EQP Safety Controller detects a “dangerous” fault in itself (i.e. one that would prevent the EQP Safety System from carrying out its safety function) it will de-energize the trouble relay. The fault causing the Controller’s trouble relay to de-energize must be investigated and corrected within the time period determined by SIF verification calculations for the particular application.

Run Mode

Run Mode is the state in which the Det-Tronics EQP Safety System is acting as a safety-related system and carrying out its safety function. When the system is in this state, it is not possible to make modifications to configuration parameters or control logic.

Program Mode

The system enters Program Mode when configuration parameters are downloaded to the system. The Controller trouble relay is de-energized while in this mode as an indication. When the EQP System is in Program Mode, the user is responsible for maintaining a safe state.

Note: When there is a change of configuration, the user is required to perform a validation test of the change.

Safe and Non-interfering Data

An EQP application program can read data from safety-related and non-interfering sources. Data from non-interfering sources must not be used in logic to block or disable safety-related signals in the safety loop. For example, data coming into the system from a non-interfering field device should not be used to block or disable an alarm output, but it could be used to activate a common alarm used by safety-related logic.

Communication with Remote Modbus Devices

EQP Safety Controllers can read or write data to Remote Modbus devices. Any data read from such devices is not safety-related and shall not be used to block or disable safety-related logic.
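The rule in the two sections above can be checked before download. The Python below is an added example, not part of the manual and not an S3 feature: it prunes every non-interfering input from a logic netlist and reports any safety output that the full logic holds off while the safety-only logic demands it. The netlist layout, the AND/OR/NOT gate set and all tag names are assumptions made for illustration.

```python
from itertools import product

SAFETY, NON_INTERFERING = "safety", "non-interfering"

# Constructed sample project. Tag names and the netlist layout are hypothetical.
SOURCES = {
    "X3301_fire": SAFETY,
    "EDIO_manual_call": SAFETY,
    "X2200_uv_fire": NON_INTERFERING,      # non-safety-certified detector
    "modbus_maint_flag": NON_INTERFERING,  # value read from a remote Modbus device
}
GATES = {  # name -> (gate type, input names); AND/OR/NOT only
    "common_alarm": ("OR", ("X3301_fire", "EDIO_manual_call", "X2200_uv_fire")),
    "fire_any": ("OR", ("X3301_fire", "X2200_uv_fire")),
    "voted_alarm": ("AND", ("fire_any", "EDIO_manual_call")),
    "not_maint": ("NOT", ("modbus_maint_flag",)),
    "release": ("AND", ("X3301_fire", "not_maint")),
}
SAFETY_OUTPUTS = ("common_alarm", "voted_alarm", "release")


def evaluate(signal, gates, values):
    """Evaluate one signal. None means the input has been pruned from the logic."""
    if signal in values:
        return values[signal]
    op, inputs = gates[signal]
    live = [v for v in (evaluate(i, gates, values) for i in inputs) if v is not None]
    if not live:
        return None                      # gate fed only by pruned inputs
    if op == "AND":
        return all(live)
    if op == "OR":
        return any(live)
    if op == "NOT":
        return not live[0]
    raise ValueError(f"unknown gate type {op!r}")


def blocking_sources(sources, gates, output):
    """Return None if no non-interfering source can block `output`, else the
    sorted names of the sources whose value alone holds the output off."""
    names = sorted(sources)
    ni = [n for n in names if sources[n] == NON_INTERFERING]
    blocked, culprits = False, set()
    # Exhaustive search: fine for page-sized logic, exponential in source count.
    for bits in product((False, True), repeat=len(names)):
        full = dict(zip(names, bits))
        safety_only = {n: (None if n in ni else v) for n, v in full.items()}
        demanded = evaluate(output, gates, safety_only) is True
        if not demanded or evaluate(output, gates, full):
            continue
        blocked = True                   # safety inputs demand it, output is off
        for n in ni:
            if evaluate(output, gates, {**full, n: not full[n]}):
                culprits.add(n)
    return sorted(culprits) if blocked else None


def lint_project(sources, gates, safety_outputs):
    """Map each blockable safety output to the non-interfering sources responsible."""
    findings = {}
    for out in safety_outputs:
        result = blocking_sources(sources, gates, out)
        if result is not None:
            findings[out] = result
    return findings


if __name__ == "__main__":
    for out, srcs in lint_project(SOURCES, GATES, SAFETY_OUTPUTS).items():
        print(f"{out}: can be blocked by {', '.join(srcs) or 'non-interfering logic'}")
```

In the sample, the common alarm and the voted alarm pass because the non-interfering detector can only add to them, while the release output is flagged because the Modbus flag can hold it off.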

EQP Controller Inhibit Lockout

Device inhibits allow input and output signals to be blocked to allow the user to perform maintenance and testing without affecting system outputs. Example: If a flame detector is inhibited, a flame can be presented to the detector and the fire alarm will not be registered by the controller. Subsequently, no action will be performed by the controller. Therefore inhibits are classified as a safety related issue. If a device is inhibited, it will no longer perform its safety function. For this reason, there is a global inhibit lockout feature.

Input channel four of the safety controller is designated as the inhibit lockout channel. The channel must be configured as “Inhibit Enabled” via the EQP controller configuration screen in the S3 software. A normally open switch must be wired to channel four to perform the inhibit enable function. When the switch is open, changes are not allowed. When the switch is closed, inhibits can be controlled from the controller via user configured logic or from the individual device point displays on the S3 software.

When the inhibit lockout switch changes state, it is logged in the EQP controller. Additionally, individual devices are logged when they are put into or taken out of the inhibit state.

It is the user’s responsibility to create and enforce an appropriate lockout policy for the site.
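A lockout policy can be enforced by reviewing the logged switch and inhibit events. The Python below is an added example, not part of the manual: it audits a constructed text export of those events. The record layout, event names, device tags and the four-hour maximum inhibit time are assumptions, since the manual does not give the controller's log format or a site policy.

```python
from datetime import datetime, timedelta

# Constructed sample export, one "timestamp,event,subject" record per line.
# The controller's real log layout is not given in the manual; this is assumed.
SAMPLE_LOG = """\
2015-08-03T08:00:05,LOCKOUT_SWITCH,CLOSED
2015-08-03T08:02:10,INHIBIT_SET,X3301-017
2015-08-03T08:03:00,INHIBIT_SET,PIRECL-004
2015-08-03T08:40:30,INHIBIT_CLEARED,X3301-017
2015-08-03T09:15:00,LOCKOUT_SWITCH,OPEN
2015-08-03T23:50:12,INHIBIT_SET,EDIO-002-CH3
2015-08-04T07:30:00,LOCKOUT_SWITCH,CLOSED
2015-08-04T07:31:00,INHIBIT_CLEARED,PIRECL-004
2015-08-04T07:45:00,LOCKOUT_SWITCH,OPEN
"""


def audit_inhibit_log(text, max_inhibit=timedelta(hours=4)):
    """Return (timestamp, finding, device) tuples for lockout-policy violations.

    max_inhibit is a site-policy value chosen for this example.
    """
    switch_closed = False   # assume locked (switch open) until the log says otherwise
    inhibited = {}          # device -> time the inhibit was set
    findings = []
    last_ts = None
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, subject = (field.strip() for field in line.split(","))
        ts = datetime.fromisoformat(stamp)
        last_ts = ts
        if event == "LOCKOUT_SWITCH":
            switch_closed = subject == "CLOSED"
            if not switch_closed:
                # Maintenance window closed: a device still inhibited here
                # is not performing its safety function.
                for dev in sorted(inhibited):
                    findings.append((ts.isoformat(), "LEFT_INHIBITED", dev))
        elif event in ("INHIBIT_SET", "INHIBIT_CLEARED"):
            if not switch_closed:
                # The manual states that changes are not allowed with the switch open.
                findings.append((ts.isoformat(), "CHANGE_WHILE_LOCKED", subject))
            if event == "INHIBIT_SET":
                inhibited.setdefault(subject, ts)
            else:
                started = inhibited.pop(subject, None)
                if started is None:
                    findings.append((ts.isoformat(), "CLEAR_WITHOUT_SET", subject))
                elif ts - started > max_inhibit:
                    findings.append((ts.isoformat(), "OVER_MAX_DURATION", subject))
        else:
            raise ValueError(f"unrecognised event {event!r}")
    for dev in sorted(inhibited):
        findings.append((last_ts.isoformat(), "STILL_INHIBITED_AT_END", dev))
    return findings


if __name__ == "__main__":
    for stamp, finding, device in audit_inhibit_log(SAMPLE_LOG):
        print(stamp, finding, device)
```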


EQP Safety Controller Diagnostic Checks

The EQP Safety Controller automatically carries out a number of diagnostic checks on a continuous basis. A number of other diagnostic tests are also conducted to ensure the integrity of the EQPSL communication network and proper operation of the user’s logic program.

All checks conducted by the Controller are completed at least once an hour. This period is called the diagnostic test interval.

Note: Other devices have different diagnostic test intervals. See EQP Safety Device Diagnostics. Be sure to account for this in calculations.

The certifying authority that has granted the Det-Tronics EQP Safety System approval for use in low demand SIL 2 safety-related applications has confirmed the completeness of the diagnostic tests. The user program requires no additional on-line diagnostic tests. Proof testing, which is the responsibility of the user, is discussed in the “Proof Testing” section of this manual.

Redundant EQP Safety Controllers

Using Det-Tronics EQP Safety Controllers in redundant mode will increase their availability, but will have no effect on their ability to perform a safety-related function. The redundant controller system is certified for use as part of a SIL 2 system.

When a second Controller is added for redundancy, the firmware versions must match. Controllers configured for redundant operation operate in either Master or Standby mode. Refer to the EQP system manual (number 95-8533) for more details regarding controller redundancy set-up.

Note: Both the master and standby controllers must be SIL rated models. If a SIL rated controller is paired with a standard controller model, a redundancy fault will be indicated.

EQP SAFETY DEVICES

EQP Safety rated field devices share many of the same attributes as standard EQP devices. They have the same physical form factor and are connected to the system in the same manner as standard devices. However, SIL versions of field devices are not directly interchangeable with the standard versions. Each version has a unique ID. Each field device must be configured for the proper type of device or a trouble is annunciated. SIL rated devices differ from the standard modules in that they perform additional software diagnostic checks specifically designed for safety-related applications. SIL rated Controllers and EDIOs have red labels for easy identification. A mixture of SIL and non-SIL rated field devices can be used on the system at the same time; however, non-SIL rated devices shall not block or inhibit the safety function in user logic.

Self-detected failures of the diagnostics will result in a fault state where the condition is reported to the controller and annunciated to the user. Depending on the type of fault, the field device may restart and attempt to re-establish communication with the controller.

EQPSL

The EQP controller and associated field devices are connected via the EQPSL communication loop. Only EQP system approved devices can be connected to the EQPSL network (closed network). Devices from other manufacturers shall not be connected to the EQPSL. Special test pattern messages are periodically sent end to end on the EQPSL to detect faults in the transceivers and memory buffers.

Extensive diagnostics are implemented in the EQPSL to detect degraded conditions and ensure that reliable communications are available when needed to respond to a demand. This is especially important as Fire and Gas systems are traditionally energize to trip and it is, therefore, unacceptable for them to trip based on loss of power or network communications.

The EQPSL physical network topology is limited to a single loop which starts and ends at the Controller. The system is automatically configured to utilize less than 50% of the available bandwidth in normal operation. The additional bandwidth may be utilized by the system in transient situations involving heavy message traffic. Safety communications were evaluated in terms of probability of failure on demand consistent with an IEC 61508 low demand application.


EQP Safety Device Diagnostics

The EQP Safety devices (EDIO/AIM/X3301/Eclipse) automatically carry out a number of diagnostic checks on a continuous basis. All checks are completed at least once every two hours (diagnostic test interval).

Failure of any field device diagnostic will cause the trouble relay on the Controller to open. It is the user’s responsibility to determine what course of action is appropriate for their situation when the Controller’s trouble relay opens.

The internal diagnostic tests carried out by EQP Safety devices are sufficient to meet the requirements for use in a low demand SIL 2 safety function. Proof testing, which is the responsibility of the user, is discussed in the “Proof Testing” section of this manual.

X3301-SIL

The SIL EQP Model X3301 flame detectors are configured with the use of S3 software and the device is safety rated at all available sensitivity settings. The fire alarm status should be used as the safety input signal for user logic. System “Proof Testing” should be conducted after any change in configuration is made.

Note: Refer to the X3301 Safety Manual (number 95-8582) for specific requirements and recommendations applicable to the proper installation, operation, and maintenance of all SIL-Certified X3301 IR flame detectors.

MODEL PIRECL-SIL

The SIL EQP Model PIRECL combustible gas detectors are configured via S3 software and the device is safety rated. High and low alarm status should be used as the safety input signal for user logic. The floating point gas concentration value is available for information, but is not safety rated and should not be used as part of the safety function. System “Proof Testing” should be conducted after any change in configuration is made.

Note: Refer to the Model PIRECL Safety Manual (number 95-8630) for specific requirements and recommendations applicable to the proper installation, operation, and maintenance of all SIL-Certified PIRECL IR gas detectors.

AIM-SIL ANALOG INPUT MODULE

The SIL AIM module is configured via S3 software and the device is safety rated. High and low alarm status should be used as the safety input signal for user logic.

The SIL AIM module provides eight channels of configurable analog input. The AIM Module is specially designed to meet the requirements of IEC 61508 and expands the input capability of the Det-Tronics Eagle Quantum Premier System.

Each channel of the AIM safety module is an input that can accept analog devices such as gas detectors. It is the responsibility of the user to select suitable SIL rated devices to connect to the AIM.

The EQP Controller continuously monitors the status of the AIM. Input channels are supervised for out of range signals.

Input Range and Configuration

The user shall enable out-of-range checking, with the out-of-range low value configured to be at least 1mA, and the out-of-range high value to be less than 24mA and less than or equal to the connected device maximum output minus safety accuracy.

All AIM channels intended for use must be configured and downloaded from the EQP controller, otherwise they will be ignored.

For complete information regarding system overview, installation, operation, specifications, and configuration of the AIM Analog Input Module, refer to the AIM Module specification data sheet 90-1183 and/or the EQP instruction manual number 95-8533.

EDIO-SIL ENHANCED DIGITAL INPUT/OUTPUT MODULE

The SIL EDIO module provides eight channels of configurable digital input or output. The EDIO Module is specially designed to meet the requirements of IEC 61508 and expands the input and output capability of the Det-Tronics Eagle Quantum Premier System. The EQP Controller continuously monitors the status of the EDIO and controls the outputs with EQPSL communications.

Each channel of the EDIO safety module can be configured as an input to accept fire detection devices such as manual alarm stations, or as an output for signaling or releasing. Both input and output circuits can be configured for supervised (line monitoring) or unsupervised operation. Channels are only SIL rated when configured for the supervised mode of operation. Unsupervised channels can be used for non-safety related uses and are considered non-interfering. It is the responsibility of the user to select suitable SIL rated I/O devices to connect to the EDIO.

This table indicates which EDIO channel configurations are IEC 61508 SIL rated.

Definition                        SIL Rated
Unsupervised Input                No
Unsupervised Output               No
Smoke Detector                    No
Class A Output                    Yes
Class A Input                     Yes
Solenoid Output                   Yes
Class A Solenoid Output           Yes
Class A Smoke Detector Input      No
Class B Output with Monitoring    Yes
Class B Input with Monitoring     Yes

Detailed information regarding the use of the EQP EDIO Safety Module is given in the appropriate data sheets and user documentation (EQP instruction manual number 95-8533). The information given here only refers to the safety-related aspects of the module.

Outputs from the EQP Safety EDIO Module are normally de-energized and are energized on command by the Controller (for example to release an extinguishant by opening a normally closed solenoid valve). Outputs will hold last state on loss of communication with the controller.

Det-Tronics S3 Safety System Software is used for device configuration.

EDIO Digital Input Channel

A change in input state is only recognized if the new input state is held for a finite time interval to ensure that noise is not incorrectly interpreted as a change in the input state. The input must be active for at least 750 milliseconds in order to be recognized.

For descriptions and examples of how to provide open, and open/short circuit monitoring, and Class A or Class B wiring on EDIO inputs, refer to the Installation section of the EQP Instruction Manual, 95-8533. Refer to Appendix A for the different λDU values for open versus open and short circuit monitoring.

EDIO Digital Output Channel

The EDIO output channel is normally de-energized and must employ line supervision to be safety rated.

For descriptions and examples of how to provide open, and open/short circuit monitoring, and Class A or Class B wiring on EDIO outputs, refer to the Installation section of the EQP Instruction Manual, 95-8533. Refer to Appendix A for the λDU value for open and open and short circuit monitoring.

POWER SUPPLIES

The power supply selected must provide over-voltage protection to the EQP System. The over-voltage protection must be set for a maximum of 33 Vdc.

The EQP Safety System is NFPA-72 certified for use with Det-Tronics EQP Power Supplies, power supply monitoring, and ground fault monitoring.

Redundant power supplies can be implemented by “pairing” supplies. This is not required for the certified safety integrity level, but will improve availability.

The EQPSL devices must be operated between 18 and 30 Vdc. A 10% overvoltage will not damage the devices.

S3 CONFIGURATION SOFTWARE

S3 Software is an engineering tool for configuring parameters and writing control programs (known as Projects) that are downloaded to EQP Controllers. The creation of the Project is the responsibility of the user and must conform with the restrictions in this manual.

This Section describes the features of S3 Software applicable to the EQP Safety System. More general information regarding the operation and use of S3 can be found in the S3 manual (number 95-8560).

A summary of S3 Software features specific to its use with EQP Safety Systems is given below.

• Only input data from safety approved field devices (X3301-SIL/Eclipse-SIL/EDIO-SIL/AIM-SIL) can be used as safety data in EQP Safety Logic.

• Safety-related inputs and outputs are colored red to distinguish them from non-safety related I/O.

• User function blocks that are suitable for safety-related data are colored red to distinguish them from functions that are not suitable for safety-related data.

• Floating point values are not safety rated and must not be used in the safety-related logic.

• Numeric calculations are not error checked for overflow or underflow and the results of such calculations are not defined. It is the user’s responsibility to bound inputs so such a condition cannot happen.

• Change control logging and event recording are available within S3 and EQP Safety Controllers.

• Operations over the Ethernet Interface Board are controllable through use of the S3 Download/Write Enable parameter on the EQP Controller Editor screen.

While S3 is acceptable for configuring a low demand SIL 2 EQP System, it shall not be part of the safety function.


S3 Password Protection

The user must define what measures are to be applied to protect against project changes. S3 provides safeguards described in the following paragraphs.

Access to the S3 software program is restricted by password protection. Passwords can be changed at any time by the user with correct privileges.

S3 supports up to 63 unique user accounts, each capable of having a different password and access privileges. These user accounts are controlled by the S3 system administrator.

Configuring User Accounts

There are five parameters that are used to configure a user’s account.

User Level

A user level between 0 and 65535 is used to determine what a user can do. Each command or button that a user can interact with in S3 has a user level assigned to it. The higher the number, the higher the “privileges” for that user. A user level of “0” would allow “browsing” only with no command capability.

Configure System Enabled

When selected, this option allows the user access to the engineering and configuration aspects of the S3 software suite. This includes the ability to make, move, configure and delete ports and the ability to create or modify points like fire detectors, gas detectors, analog transmitters, digital inputs, etc. attached to one or more of the available ports.

Quit “Online” Operations Enabled

When selected, the user is able to quit online operations and return to the S3 main screen for access to the various engineering and maintenance utilities.

Port Diagnostics Viewing Enabled

When selected, the user can access the port diagnostics screen when online. This screen allows the user to view details about the operation of all active communication ports, whether serial or Ethernet. This would typically be used by a technician responsible for troubleshooting connectivity between the S3 station and any attached systems.

Restricted Access Enabled

This feature is intended to give limited access to the EQP port configurations for viewing and documentation purposes.

User accounts can be created with only the “restricted access” checkbox selected, or combined with the other checkboxes — configure system, quit online, port diagnostics.

S3 Change Control Log

S3 maintains a Configuration Log that records changes in the master project file. The log can be viewed from S3.

A record is made in the Configuration Log when:

• IO Modules are added, deleted, or moved

• Tags are added to, removed from, or moved within an IO Module

• IO Configuration parameters are saved

• External node numbers are entered or modified

• Serial communications parameters are entered or modified

• A successful download is made to a Controller

• A project is removed.

S3 Function Block Logic

The S3 software allows users to customize application software with the use of function block logic. For SIL certified systems, SIL rated function blocks must be used to comply with the SIL-2 certification.

The SIL rated function blocks and associated input and output links are color coded red to help the user identify quickly if there are any non-compliant blocks. Refer to Appendix B for a list of available function blocks.

Clearly separate safety-related function logic from non-interfering logic. Place all safety functions on their own logic pages, and place all non-interfering functions on their own logic pages.

Note: It is the user’s responsibility to test, verify and validate all safety related custom logic for conformance to the code.


SYSTEM SECURITY

A threat analysis for the EQP System was conducted identifying issues that the customer needs to address to maintain information assurance.

Ethernet access to the EQP system enables outside users to access the Safety Instrumented System through a widely available physical layer. Allowing external access to S3 via open loop systems such as the Internet jeopardizes the Safety Integrity Level of a safety instrumented system using EQP.

The customer is responsible for protecting the EQP system from unauthorized access. Unauthorized access could result in modifications to system parameters, especially during project downloads, oi fire tests, and inhibit commands. Adverse events that could occur as a result of unauthorized access include:

• Inhibiting alarms during hazardous conditions

• False alarms

• Tampering with logs

• Collecting data on system performance.

The security features of EQP provide a basic layer of protection against unauthorized access.

Two actions are required to manage the security state:

1. The S3 Download/Write Enable parameter must be left at DISABLED.

Note: If the Write Enable parameter is set to ENABLED, the EQP system can be safe from malware only if it is installed on a network that is physically separate from any other networks.

2. The ENTER button on the Controller faceplate must be depressed to allow downloads to the Controller. Once depressed, the controller will enable external access for five minutes, thereby allowing parameter modifications to be made. Once a download has begun, it will continue until completed.

Access Control

The previous section explained how S3 provides the ability to control access to the EQP system by configuring user accounts. It is the responsibility of the customer to ensure proper access control of the Safety Instrumented System. The restricted access enabled check box allows S3 to be used with the SIL-capable EQP when checked. This discretionary access control (DAC) limits access between users and the SIS based on the identity of the user and, potentially, the groups to which the user belongs. The following identity-based access must be considered when configuring user accounts:

Configuration Inhibit Diagnostics Silence

Administrator X X X X

Maintainer X X X

Operator X

[Figure: Location of ENTER Button on EQP Controller Faceplate]


PROOF TESTING

After installation and start-up have been completed, Proof Tests must be performed for the Det-Tronics EQP Safety System.

Personnel performing Proof Test procedures must be competent to perform the task. All Proof Test results must be recorded, analyzed, and any errors in the safety functionality must be corrected. The Proof Tests must be performed at a frequency as shown in the following table.

WARNING: To prevent undesired actuation of alarm equipment, systems or signaling devices, be sure to secure these devices prior to performing the test.

WARNING: Failure to perform the specified testing and inspection may lower or void the SIL rating for the product or system.

EDIO INPUT CHANNEL PROOF TEST

Tools Required: None

Initiate the input channel via the connected contact closure device. Verify correct operation at the EDIO by the local channel LED turning red. If the input is classified as a flame or gas device, verify correct alarm display at the EQP controller.

EDIO OUTPUT CHANNEL PROOF TEST

Tools Required: None

Initiate the EDIO output channel by the user logic or activate the associated input devices (EDIO input, flame detectors, gas detectors, etc.). Verify correct operation at the EDIO by the local channel LED turning red. Verify that the end device connected to the EDIO channel is activated.

AIM INPUT CHANNEL PROOF TEST

Tools Required: None

1. Bypass the safety function and take appropriate action to avoid a false trip.

2. Retrieve any diagnostics via the EQP controller and take appropriate action.

3. Using the connected 4-20 mA device, input a high alarm current level to each configured channel and verify correct operation at the AIM by the local channel LED turning red on that channel and no others. Verify that the correct alarm is displayed at the EQP controller for that channel and no others.

4. Using the connected 4-20 mA device, input an under-current level to each configured channel and verify correct operation at the AIM by the local channel LED turning amber on that channel and no others. Verify that an under-current condition is correctly displayed at the EQP controller for that channel and no others.

5. Remove the bypass and otherwise restore normal operation.

X3301 VISUAL FIELD INSPECTION PROOF TEST

Visual inspection of all Safety-Certified X3301 Multispectrum IR Flame Detectors shall be conducted as needed to confirm that there are no obstructions in the optical field of view. Corrective action will include removal of such impediments should they exist.

Proof Test Name | Commissioning | Frequency per Year
EDIO Input Channel Proof Test | Yes | 1
EDIO Output Channel Proof Test | Yes | 1
AIM Input Channel Proof Test | Yes | 1
X3301 Visual Field Inspection Proof Test | Yes | As needed, depending on level and type of contaminants present
X3301 Mag oi Proof Test | Yes | 1
PIRECL Visual Field Inspection Proof Test | Yes | As needed, depending on level and type of contaminants present
PIRECL Gas Response Proof Test | Yes | 1
EQP User Logic Verification | Yes | —


X3301 MAGNETIC Oi PROOF TEST

Tools Required:

• Magnetic oi test tool (part number 102740-002)

All flame detectors must be performance tested using the Magnetic oi Procedure and inspected to ensure that they are capable of providing expected performance and protection. Note that the Magnetic oi Procedure and Manual oi Tests are not interference free. During these tests the unit is not performing normal flame detection functions. Model X3301 provides an onboard status LED, which indicates Green color when internal operational parameters are normal. Upon successful completion of the Magnetic oi test, the LED changes to a Red color and an alarm status is sent to the EQP controller. In the event the proof test is unsuccessful, the LED remains Green and the controller does not indicate a fire alarm.

PIRECL VISUAL FIELD INSPECTION PROOF TEST

Tools Required: None

Visual inspection of all Safety-Certified PIRECL Gas Detectors shall be conducted weekly to confirm that no external blockage of gas/vapor path into the sensing chamber exists, e.g. debris, trash, snow, mud, external equipment, etc. Corrective action shall include removal of such impediments should they exist. All gas detectors must be inspected to ensure that they are capable of providing expected performance and protection. Model PIRECL provides an onboard status LED that indicates Green color upon inspection when internal operational parameters are normal. Abnormal operating parameters are indicated by Yellow color (Fault) or Red color (Alarm).

PIRECL GAS RESPONSE PROOF TEST

Tools Required:

• Calibration Gas Kit (part number 006468-001) available from Det-Tronics

This proof test, commonly referred to as a “gas bump test”, requires application of high accuracy compressed calibration gas to the detector while in NORMAL operational mode and inspecting the signal output level to ensure that the signal output is accurately indicative of the applied test gas concentration.

When test gas is flowing into the detector, inspection of proper gas response can be made by reading the output displayed on the controller. Criteria for inspection pass is a response signal within ±3% of applied gas concentration (50% LEL test concentration applied). If response test is not within acceptable limits, then a Full Calibration procedure must be performed and Gas Response Proof Test re-performed.

EQP USER LOGIC VERIFICATION

All user Safety Logic needs to be fully tested and verified using the safety inputs and outputs. This is a commissioning activity; however, if logic is modified in the future, proof testing must be repeated. If the Controller is replaced, project information must be loaded into the new Controller and verified. The CRC of project related data is calculated and saved by the controller after each project download. The project CRC can be viewed on the Controller’s display under User Logic/General Info/Logic CRC. The project CRC should be recorded and saved when proof testing is completed. The project CRC from the Controller must be compared to the saved value when a Controller is replaced to avoid complete proof testing of the system.

INSTALLATION

General installation instructions are found in the instruction manual for the EQP system, form number 95-8533.

Like other Det-Tronics EQP products, the ingress protection rating of the EQP Safety Controller, EDIO, and AIM is IP20. It will be necessary to mount the EQP Safety Controller, EDIO, and AIM in a suitable enclosure to provide mechanical and ingress protection appropriate to the particular application. X3301 is IP66 minimum and PIRECL is IP67 minimum.

Access can be restricted by mounting the EQP controller in a locked enclosure.

COMMISSIONING PERSONNEL

The Safety Certified EQP System can be commissioned by any qualified person with knowledge of EQP System instruments and the configuration device being used.

SUITABLE APPLICATIONS

The EQP Safety System can be used to provide safety functions up to Safety Integrity Level 2 (SIL 2). It can be used in low demand applications only.

Typical low demand applications are:

• Fire and Gas protection systems, which monitor for the presence of fire or a release of gas, and annunciate/release when demanded upon.

In this case, the process safety time must be greater than the response time of the EQP Safety System.


GENERAL APPLICATION REQUIREMENTS

System Application Restrictions

The following application level restrictions have been assumed:

• The EQP system is only used for safety applications that are low demand according to IEC 61508 definitions.

• Only Det-Tronics EQP system devices may be connected to EQPSL network (closed network).

• Physical EQPSL network topology is limited to a single loop.

• Indication of degraded conditions through opening of the EQP controller’s fault relay must be investigated and the conditions corrected within time period determined by SIF verification calculations for the particular application.

• Periodic proof testing of trip signals through EQPSL network at least once per 5 years (1 year recommended).

• Periodic proof test of input sensors at least once per 3 years (1 year recommended).

• Product life limited to 20 years.

• The EQP System is operated within the environmental conditions described in the Specifications section of EQP Instruction Manual (number 95-8533).

Application Standards

The EQP Safety System is certified to meet the requirements of a number of application standards that are listed in this Safety Manual and on the exida® certificate. Users must ensure that they comply with all the requirements of the standard, not just those that apply to the EQP Safety System.

Operator Interface

The EQP Safety System may be connected to an operator interface, matrix panels, mimic panels and switches.

These interfaces allow the operator to monitor the operation of the system and diagnose system faults.

The EQP Safety System will allow detected faults (from line supervision monitoring, internal diagnostics etc.) to be displayed or indicated.

S3 Safety System Software

Programming, downloading safety-related parameters and programs and switching between operating states is carried out via an engineering workstation using S3 Software.

Access to the Programming Interface shall only be permitted for authorized and suitably qualified personnel. Access must be restricted by the use of passwords (and the options to do this are provided for within S3 Software) and/or some other forms of restricting access.

The Programming Interface may be used as the Operator Interface, but use of the Programming Interface must be restricted to authorized and qualified personnel.

Instructions for using S3 and typical application examples are provided in the S3 Instruction Manual (number 95-8560).

Hardware Fault Tolerance, Safe Failure Fraction and Sub-System Type

The EQP Safety System is a Type B system, with a hardware fault tolerance of 0 and a safe failure fraction of >90%. It is, therefore, suitable for use in safety functions requiring a safety integrity level of 2.

Calculating PFD for Low Demand Applications

This Section gives a basic introduction to calculating the average probability of failure on demand (PFDavg) for a safety function incorporating the EQP Safety System.

For the purpose of this example, the following assumptions have been made:

• All components are certified as suitable for use in SIL 2 safety-related applications.

• All elements are used in 1oo1 arrangements.

• Any Mean Time To Restore (MTTR) less than 48 hours is negligible.

• The approximation PFDavg = 1/2 T1 λDU is valid for the proof test interval considered.

PFDavg for a particular safety function is the sum of the probabilities of the average failure on demand of each element of the system, taking into account the proof test interval of each element.


Table 1 provides the low demand EQP SIL 2 Safety Function model and recommendations for complex modeling (see Note 3).

PFDavg for each element is calculated according to the equation above, where λDU is the undetected dangerous failure rate per 10^9 hours and T1 is the proof test interval. (In this example, T1 is chosen as 1 year (8760 hours) for all components of the safety function.)

The value of PFDavg for the system is the sum of PFDavg for the individual elements.

Note: The EQP system is an energize to trip system. The power supply to the output device should be monitored and annunciated when lost. This is counted as a Dangerous Detected (DD) fault. If the power supply is not monitored, it must be counted as a Dangerous Undetected (DU) fault.

Example 1 (Figure 3A)

Fire input from an X3301 and output to an EDIO.

PFDavg = 0.58 x 10^-3 + (0.38 x 10^-3 + 0.1 x 10^-3) + 0.1 x 10^-3 + valve & supply = 1.16 x 10^-3 + valve & supply

Example 2 (Figure 3B)

Gas alarm from a PIRECL and output to an EDIO.

PFDavg = 0.58 x 10^-3 + (0.38 x 10^-3 + 0.1 x 10^-3) + 0.1 x 10^-3 + valve & supply = 1.16 x 10^-3 + valve & supply

Example 3 (Figure 3C)

Input from an EDIO and output to the same EDIO.

PFDavg = 0.003 x 10^-3 + (0.38 x 10^-3 + 0.1 x 10^-3) + 0.1 x 10^-3 + valve & supply = 0.58 x 10^-3 + valve & supply

Using the table given in the standard, this value would be suitable for a low demand SIL 2 safety function. Other conditions (hardware fault tolerance and safe failure fraction) also allow its use in a SIL 2 application.

See IEC 61508-6 for a more comprehensive guide to the calculation of PFDavg.
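The three examples above can be reproduced from the λDU values in Appendix A. The following Python sketch is an added example, not part of the Det-Tronics manual or the S3 software: it sums λDU along the 1oo1 chain, applies PFDavg = 1/2 T1 λDU, and reports how much λDU is left for the valve and supply under the SIL 2 limit. The SIL band limits are taken from IEC 61508-1 (the manual only refers to "the standard"), and the valve and supply rates are constructed values.

```python
"""PFDavg roll-up for a 1oo1 EQP safety function (added example)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
FIT = 1e-9  # 1 FIT = one failure per 10^9 hours

# lambda_DU values in FIT, copied from the Appendix A failure rate table.
LAMBDA_DU = {
    "X3301": 133.0,
    "PIRECL": 132.0,
    "CONTROLLER": 87.5,
    "SAFETY_COMMS": 22.8,
    "EDIO_COMMON": 20.9,
    "EDIO_IN_OPEN": 6.6,
    "EDIO_IN_OPEN_SHORT": 0.68,
    "EDIO_OUT": 0.92,
}

# Upper PFDavg limit of each low demand SIL band in IEC 61508-1
# (assumption: not reproduced in the manual itself).
SIL_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


def pfd_avg(lambda_du_fit, t1_hours=HOURS_PER_YEAR):
    """PFDavg = 1/2 * T1 * lambda_DU for a single 1oo1 element."""
    if lambda_du_fit < 0 or t1_hours <= 0:
        raise ValueError("failure rate must be >= 0 and T1 must be > 0")
    return 0.5 * t1_hours * lambda_du_fit * FIT


def edio_lambda(input_monitoring=None, output=False):
    """lambda_DU of one EDIO module: Common + Input and/or Output."""
    total = LAMBDA_DU["EDIO_COMMON"]  # counted once per physical module
    if input_monitoring == "open":
        total += LAMBDA_DU["EDIO_IN_OPEN"]
    elif input_monitoring == "open_short":
        total += LAMBDA_DU["EDIO_IN_OPEN_SHORT"]
    elif input_monitoring is not None:
        raise ValueError("input_monitoring must be 'open', 'open_short' or None")
    if output:
        total += LAMBDA_DU["EDIO_OUT"]
    return total


def electronics_lambda(sensor, same_edio=True):
    """lambda_DU (FIT) of input -> controller + comms -> EDIO output.

    sensor is "X3301", "PIRECL" or "EDIO" (contact input monitored for
    opens and shorts); same_edio only matters for an EDIO input.
    """
    chain = LAMBDA_DU["CONTROLLER"] + LAMBDA_DU["SAFETY_COMMS"]
    if sensor == "EDIO":
        if same_edio:
            return chain + edio_lambda("open_short", output=True)
        return chain + edio_lambda("open_short") + edio_lambda(output=True)
    if sensor not in ("X3301", "PIRECL"):
        raise ValueError("unknown sensor: %r" % (sensor,))
    return chain + LAMBDA_DU[sensor] + edio_lambda(output=True)


@dataclass
class FinalElement:
    """Valve and its power supply; rates come from the site's own data."""
    valve_fit: float
    supply_fit: float
    supply_monitored: bool

    def lambda_du(self):
        # Monitored and annunciated supply loss is a DD fault and leaves the
        # DU sum; an unmonitored supply counts as DU (the manual's Note).
        return self.valve_fit + (0.0 if self.supply_monitored else self.supply_fit)


def evaluate(sensor, final, same_edio=True, t1_hours=HOURS_PER_YEAR, target_sil=2):
    """Return PFDavg figures and the lambda_DU budget left for the final element."""
    lam = electronics_lambda(sensor, same_edio)
    electronics = pfd_avg(lam, t1_hours)
    total = pfd_avg(lam + final.lambda_du(), t1_hours)
    limit = SIL_UPPER_LIMIT[target_sil]
    # Largest final-element lambda_DU (FIT) that keeps the total under the limit.
    budget_fit = max(0.0, (limit - electronics) / (0.5 * t1_hours * FIT))
    return {
        "electronics_pfd": electronics,
        "total_pfd": total,
        "meets_target": total < limit,
        "final_element_budget_fit": budget_fit,
    }


if __name__ == "__main__":
    # Constructed final-element rates, for illustration only.
    valve = FinalElement(valve_fit=500.0, supply_fit=200.0, supply_monitored=False)
    for name, sensor in (("Example 1", "X3301"), ("Example 2", "PIRECL"), ("Example 3", "EDIO")):
        r = evaluate(sensor, valve)
        print("%s: electronics %.2e, total %.2e, SIL 2 ok: %s, budget %.0f FIT"
              % (name, r["electronics_pfd"], r["total_pfd"],
                 r["meets_target"], r["final_element_budget_fit"]))
```

Changing `t1_hours` shows how a longer proof test interval consumes the final-element budget, and `same_edio=False` adds a second EDIO "Common" term as in the Appendix A note.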

Safety Function INPUT | Safety Function OUTPUT | SFF | Total Failure Rate | DU (Failure to Trip) | SU (False Trip) | DD (Detected Fault)
X3301 FIRE INPUT | EDIO OUTPUT (OPEN MONITORING) | 96.6% | 7,070 FIT | 242 FIT | 226 FIT | 2,980 FIT
EDIO FIRE INPUT (OPEN & SHORT MONITORING) | EDIO OUTPUT (OPEN MONITORING) | 96.9% | 3,580 FIT | 110 FIT | 130 FIT | 2,020 FIT
PIRECL GAS INPUT | EDIO OUTPUT (OPEN MONITORING) | 96.2% | 6,420 FIT | 242 FIT | 316 FIT | 3,920 FIT
EDIO GAS INPUT (OPEN & SHORT MONITORING) | EDIO OUTPUT (OPEN MONITORING) | 96.9% | 3,580 FIT | 110 FIT | 130 FIT | 2,020 FIT

NOTE 1: The table includes consideration to a 246 node system with 6 Network Extenders, 14 Physical Layer Repeaters, maximum cable distance, and a 1-year Proof Test Interval (NFPA 72 requirement) with usage of less than 65% of the SIL 2 budget.

NOTE 2: One EDIO provides both the input channel and the output channel.

NOTE 3: For complex modeling of the EQP System, reference the exida® tool at www.exida.com.

Table 1—EQP SIL 2 Safety Function Model - Example


Figure 3A—X3301 Input in a Typical Low Demand Application

X3301 IR Flame Detector: λDU = 133, T1 = 1 year, PFDavg = 0.58 x 10^-3
Simplex EQ3xxx EQP Safety Controller*: λDU = 87.5 + 22.8, T1 = 1 year, PFDavg = (0.38 x 10^-3 + 0.1 x 10^-3)
EQ3730EDIO EQP Safety EDIO**: λDU = 21.8, T1 = 1 year, PFDavg = 0.1 x 10^-3
Valve: λDU Valve*** and Power Supply

* Includes Worst Case Safety Communication (λDU = 22.8, PFDavg = 0.1 x 10^-3)
** Single Output Configuration, Monitored for Opens
*** See note in Calculating PFD for Low Demand Applications

Figure 3B—PIRECL Input in a Typical Low Demand Application

PIRECL Eclipse Gas Detector: λDU = 132, T1 = 1 year, PFDavg = 0.58 x 10^-3
Simplex EQ3xxx EQP Safety Controller*: λDU = 87.5 + 22.8, T1 = 1 year, PFDavg = (0.38 x 10^-3 + 0.1 x 10^-3)
EQ3730EDIO EQP Safety EDIO**: λDU = 21.8, T1 = 1 year, PFDavg = 0.1 x 10^-3
Valve: λDU Valve*** and Power Supply

* Includes Worst Case Safety Communication (λDU = 22.8, PFDavg = 0.1 x 10^-3)
** Single Output Configuration, Monitored for Opens
*** See note in Calculating PFD for Low Demand Applications

Figure 3C—EDIO Input in a Typical Low Demand Application

Switch: λDU Switch
EQ3730EDIO EQP Safety EDIO* (input): λDU = 0.68, T1 = 1 year, PFDavg = 0.003 x 10^-3
Simplex EQ3xxx EQP Safety Controller**: λDU = 87.5 + 22.8, T1 = 1 year, PFDavg = (0.38 x 10^-3 + 0.1 x 10^-3)
EQ3730EDIO EQP Safety EDIO*** (output): λDU = 21.8, T1 = 1 year, PFDavg = 0.1 x 10^-3
Valve: λDU Valve**** and Power Supply

* Single Input Configuration with Open & Short Monitoring. λDU for Components Common to both Inputs and Outputs Contained in EDIO and Output Calculation
** Includes Worst Case Safety Communication (λDU = 22.8, PFDavg = 0.1 x 10^-3)
*** Single Output Configuration, Monitored for Opens
**** See note in Calculating PFD for Low Demand Applications

In Figures 3A, 3B and 3C: λDU is failure rate per 10^9 hours, TP of 1 year = 8760 hours, PFDavg is the probability of failure on demand. PFDavg = Σ (1/2 • T1 • λDU)


System Response Time

The EQP Safety System will have a typical response time of less than 1 second, to which must be added the response time of the final elements to give the total response time.

The worst case theoretical response time of the EQP Safety System, the time taken from an input transition being detected to an output being asserted, is estimated by the following:

• Detection at field device to the Controller over EQPSL network

  – Small system <100 field devices < 3.2 seconds (user logic constrained to 0.5 seconds)

  – Large system >100 field devices < 9.1 seconds (user logic constrained to 1.5 seconds).

• Worst case response times assume user logic execution time is constrained to

  – Small system < 0.5 seconds

  – Large system < 1.5 seconds.

• Worst case Controller to EDIO output < 6.3 seconds.

• Worst case response times assume a high level of lost messages due to internal or external influences, and three subsequent retries.

NOTE: The worst case theoretical response time, as required by IEC 61508, will only occur once per 1,000,000 trips. It must occur during the worst case degraded communication conditions possible without generating a communication fault.

Note: The process safety time must be compared with the response time of the entire safety function. In addition to the response time of the EQP Safety System, the response time of the input sensors and output actuators must be included.

Product Repair

The EQP Controller and Field Devices are not field-repairable and any internal device repairs must be conducted at the factory. No firmware changes are permitted or authorized. All failures indicated by internal diagnostics or Proof Tests that cannot be resolved through the troubleshooting and maintenance procedures described in the manual must be reported to the manufacturer. Refer to the DEVICE REPAIR AND RETURN section of the EQP system instruction manual, number 95-8533.

Spare Parts

Refer to the REPLACEMENT PARTS section of the instruction manual. Safety certification is based on a sufficient number of spares to achieve a 24 hour mean time to repair.

Applicable Standards

• IEC 61508:2000. “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems”.

• IEC 61511:2003. “Functional Safety - Safety Instrumented Systems for the Process Sector”.

Product Certifications


FM, CSA, ATEX, IECEx, CE, exida, and others.

FMEDA Report available.

For complete information regarding performance, installation, operation, maintenance and specifications of the Eagle Quantum Premier system, refer to instruction manual 95-8533.


APPENDIX A

SUMMARY OF SAFETY RELATED DATA

CERTIFICATION AND FAILURE RATE DATA

All Safety-Certified EQP devices are certified compliant to:

IEC 61508: 2000 Parts 1-7

Random Integrity: Type B Element

Systematic Integrity: SIL 2 Capable

HFT: 0

Low Demand Mode

PFDavg should be calculated for any safety instrumented function using the EQP System. (Refer to tables and/or FMEDA report for necessary information, including DU rate.)

Safety Accuracy: Specified per device

Safety Response Time: See ‘System Response Time’ section


Certified for use up to: SIL 2
Configuration: 1oo1D
Architecture: Type B
Hardware Fault Tolerance: 0
Safe Failure Fraction: > 90%

Failure Rate Data

Part | Model | λDU (dangerous undetected failure rate per 10^9 hours) | SFF %
EQP Safety Controller | EQ3xxx | 87.5 | 96.7
EDIO Safety Module - Configured as Input* | EQ3730EDIO | Common = 20.9 | 97.1
 | | Input Monitored for Opens = 6.6 | 93.0
 | | Input Monitored for Opens & Shorts = 0.68 | 99.0
EDIO Safety Module - Configured as Output* | EQ3730EDIO | Common = 20.9 | 97.1
 | | Output Monitored for Opens, Opens & Shorts = 0.92 | 98.9
AIM Safety Module | EQ3710AIM | Common = 12 | 98.1
 | | Per Input Channel = 5.16 | 93.0
X3301 IR Flame Detector | X3301 | 133 | 96.3
Eclipse IR Gas Detector | Model PIRECL | 132 | 95.5
EQP Safety Communications | | 22.8 | N/A

* “Common” are components common to both inputs and outputs. For λDU calculation:

Example 1: Input and output on same EDIO

λDU = Common + Input + Output

λDU = 20.9 + 0.68 + 0.92 = 22.5

Example 2: Input and output on different EDIOs

λDU = λDU EDIO #1 + λDU EDIO #2 = (Common + Input) + (Common + Output) = (20.9 + 0.68) + (20.9 + 0.92) = 43.4

Product Life EQ3xxx (Controller): 10-25 years, based on manufacturer data.

Product Life EQ3730EDIO: 6-29 years, based on manufacturer data.

Product Life EQ3710AIM: 6-29 years, based on manufacturer data.

Product Life X3301: 12-27 years, based on manufacturer data.

Product Life PIRECL: 5-40 years, based on manufacturer data.

All failure rate data for SIL verification is in the FMEDA report, which is available upon request.

IEC 61508 Failure Rates


TERMS AND DEFINITIONS

DD Dangerous Detected

DU Dangerous Undetected

EQP Eagle Quantum Premier System

EQPSL/SLC Eagle Quantum Premier Safety Loop / Signaling Line Circuit

FMEDA Failure Mode Effects and Diagnostics Analysis

HART Highway Addressable Remote Transducer

HFT Hardware Fault Tolerance

PFD Probability of Failure on Demand (Probability of Dangerous Failure)

PFDavg Average Probability of Failure on Demand

SD Safe Detected

SFF Safe Failure Fraction

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SU Safe Undetected

Appendix B

EQP CONTROLLER LOGIC GATE TABLE USER-DOCUMENTATION

The “SIL” column indicates if the gate is suitable for use with alarm processing with a 61508 approved system. Gates that utilize stored values which are not duplicated, or that depend on the floating-point or string libraries are not safety rated. For detailed information about a gate, refer to the help file for that gate in the S³ EQP logic window.

Gate Name | Description | SIL
ABS | Absolute Value. The values can be integer, double or float. The result will be of the same type as the input value; e.g. –23 = 23 | Yes for all but floating-point values
ACCALM | Access Alarm. This function is used to provide an interface to the Controller’s alarm list. This can be used to read alarm information from the Controller’s alarm list. | No
ADD | Addition. The values can be Boolean, integer, double or float. All items must be of the same type. ADD reads all the values, performs an ADD function and writes the result. | Yes for all but floating-point values
ALMTGR | Add an Alarm to the Alarm List. This function is used to add an alarm to the Controller’s alarm list. This can be used to trigger and log and display alarms that are initiated by user logic. | No
AND | AND. AND reads all the values, performs a bitwise AND function and writes the result. | Yes
ANDW | AND Word. The values can be integer or double. All values must be of the same type and the result will be of the same type. All of the bits of the word are operated on. | Yes
AVG | Average. The input values can be integer, double or float. All values must be of the same type and the result will be of the same type. Average is the value obtained by dividing the sum of the value by the number of values. (8.0 + 7.0 + 8.0) / 3 = 7.6. | Yes for all but floating-point values
BINT | Boolean to Integer. The input is a Boolean. If the input is False the output will be a zero and if the input is True the output will be a one. | Yes
BTW | Between. The input values can be integer, double or float. All items must be of the same type. There are three input items. Two are the comparison values and the third is the compare item. If the compare item is equal to or between the comparison values, a Boolean True is output, if not a Boolean False is output; e.g. if the <= input is 100 and the IN input is 50 and the >= input is 0 then the output would be True. | Yes for all but floating-point values

BTWT | Between Time Compare. There are three input time/date items. Two are the comparison values and the third is the compare item. If the compare item is equal to or between the comparison values, a Boolean True is output, if not a Boolean False is output; e.g. if the <= input is 15:00:00 and the IN input is 12:00:00 and the >= input is 06:00:00 then the output would be True. | No
CEIL | Ceiling. This function performs a round up. The input is a float. The result will be a double; e.g. –2.8 = -2, 2.8 = 3, -1 = -1 | No
CTD | Down Counter. There are three inputs. They are “count down (CD)” a Boolean, the “Load (LD)” a Boolean, and the “Preset Value (PV)” a double. When the LD input is False, the counter counts down. One count for each CD transition from False to True. The output is True if the current value is less than or equal to zero. The counter stops counting when the current value reaches -2,147,483,648. When the LD is True, the PV is loaded into the current value to initialize the counter. | No
CTD-SIL | SIL Down Counter. The SIL Down Counter operates the same as the standard CTD, but provides additional error checking in the Controller against random memory error. | Yes
CTU | Up Counter. There are three inputs. The “count up (CU)” a Boolean, the “Reset (R)” a Boolean, and the “Preset Value (PV)” a double. When the R input is False, the counter counts up. One count for each CU transition from False to True. The output is True if the current value is greater than or equal to the PV. The counter stops counting when the current value reaches 2,147,483,647. When R is True the current value is set to 0. | No
CTU-SIL | SIL Up Counter. The SIL Up Counter operates the same as the standard CTU, but has additional error checking in the Controller against random memory error. | Yes
CTUD | Up/Down Counter. This has five inputs. The “count up (CU)” a Boolean, the “count Down (CD)” a Boolean, the “Reset (R)” a Boolean, the “Load (LD)” a Boolean and the “Preset Value(PV)” a double. When the LD and R inputs both are False, the counter counts. One count up for each CU transition from False to True. One count down for each CD transition from False to True. If both CU & CD transition, the counter will count up. If the current value is greater than or equal to the PV, QU output is True. If the current value is less than or equal to zero, QD output is True. The counter stops counting when the current value reaches 2,147,483,647 or -2,147,483,648. When the R is True the current value is set to zero. When the LD is True the PV is loaded into the current value to initialize the counter. | No

Page 24: Eagle Quantum Premier Safety Manual

7.1 95-8599

CTUD-SIL SIL Up/Down Counter. The SIL Up Counter operates the same as the standard CTU, but has additional error checking in the Controller against random memory error.

Yes

DBLFLT Double to Float. The input double is converted to a float. No

DBLINT Double to Integer. The input double is converted to an integer. Yes

DBLSTR Double to String. When the enable input is True, the 32-bit double input value is converted to a string.

No

DIV Divide. The input values can be integer, double or float. The inputs must be of the same type. The output will be of the same type as the inputs.

Yes for all but floating-point values

ET Equal To. The input values can be integer, double or float. The inputs must be of the same type. The output is a Boolean. NOTE: When floats are used in a comparison for Equal (=), the comparison will be true if the values are within 0.01 of each other.

Yes for all but floating-point values

EVTTGR Add an Event to the Controller Alarm List. This function is used to add an event to the Controller’s alarm list. This can be used to trigger, log and display events that are initiated by user logic.

No

FLR Floor. This function performs a round down. The input value is a float. The result will be a double; e.g. –2.8 = -3, 2.8 = 2, -1 = -1

No

FLTSTR Float to String. When the enable input is True, the floating-point input value is converted to a string. The precision input determines the number of digits to the right of the decimal point. (0 - 6)

No

FRAC Fraction. The output will be the fractional part of the input. The input value is a float. The result will be a float; e.g. 123.456 = 0.456.

No

GT Greater Than. The input values can be integer, double or float and must be the same type. The output is a Boolean. (X > Y)

Yes for all but floating-point values

GE Greater Than or Equal To. The input values can be integer, double or float and must be the same type. The result is a Boolean. (X >= Y)

Yes for all but floating-point values

IF IF. The values at the input connection “True” can be Boolean, integer, double, string or float. If the Selector input is True, the value at the “True” connection is passed to the output. If the Selector input is False, the output will be set to the value determined at the last scan when the Selector was True. The IF function is a way to preserve a value after the Boolean input goes False.

No

INPUT Input. The Input can be any value. The input function is used to select an input that will be directed to logic.

Yes for all but floating-point and string values

INTBOL Integer to Boolean. If the input is equal to zero, the output will be False. If the input is not equal to zero, the output will be True.

Yes

INTDBL Integer to Double. The input integer is converted to a double. Yes

INTFLT Integer to Float. The input integer is converted to a float. The result will be a float.

No

INTSTR Integer to String. When the enable input is True, the 16-bit integer input value is converted to a string.

No

LMT Limit. The values can be integer, double or float. All inputs must be of the same type. The output will be of the same type as the inputs. The input is compared against the high limit. If the input is greater than the high limit, the output will be the high limit value. If the input is less than the high limit, the input is compared against the low limit. If the input is less than the low limit, the output is the low limit value. Otherwise the output is the value of the input.

Yes for all but floating-point values

LT Less Than. The values can be integer, double or float. The result is a Boolean.

Yes for all but floating-point values

LE Less Than or Equal To. The values can be integer, double or float. The result is a Boolean.

Yes for all but floating-point values

MAX Maximum Select. The values can be integer, double or float. The input with the highest value will be passed to the output. The result will be of the same type as the inputs.

Yes for all but floating-point values

MEDIAN Median. The input values can be integer, double or float. All values must be of the same type and the result will be of the same type. Median is the value midway between the values. Definition: a) designating the middle number in a series containing an odd number of items; e.g. 7 in the series 1, 4, 7, 16, 43; b) designating the number midway between the two middle numbers in a series containing an even number of items; e.g. 10 in the series 3, 4, 8, 12, 46, 72.

Yes for all but floating-point values

MIN Minimum select. The input values can be integer, double or float. All inputs must be of the same type. The input with the lowest value will be passed to the output. The result will be of the same type as the inputs.

Yes for all but floating-point values

MOD Modulo. The input values can be integer or double. The result is the same type as the inputs. The mod operator returns the remainder obtained by dividing its operands. In other words: 9 mod 4 is 1.

Yes

MBREAD MODBUS Read. This function block performs an asynchronous MODBUS read operation.

No

MBWRT MODBUS Write. This function block performs an asynchronous MODBUS write operation.

No

MOFN M of N. All of the Boolean inputs are examined for a True condition. The result is compared against the Preset (PR). The output “>” is True if the count is greater than the PR. The output “=” is True if the count is equal to the PR. The output “<” is True if the count is less than the PR.

Yes

MOSP Multiple One Shot Pulse. The inputs are Boolean. The output is a Boolean. Each input has a one-shot pulse function. The output is the “OR” of all of the inputs after the result of each one-shot pulse function.

No

MUL Multiply. The input values can be integer, double or float. The inputs must be of the same type. The result type is the same as the inputs.

Yes for all but floating-point values

MUX Multiplex. The input values can be Boolean, integer, double, string or float. All input values must be the same type. The output is the item indexed by the selector input. The output will be the same type as the inputs.

Yes for all but floating-point and string values

NBITS Number of Bits. The output will be the sum of all the binary inputs. Yes

NE Not Equal To. The values can be integer, double or float. The result is a Boolean.

Yes for all but floating-point values

NOT NOT. The input values can be Boolean, integer or double. The output is the bitwise NOT of the input.

Yes

ODD ODD. The input values can be integer or double. The function determines if the input value is odd. The result is a Boolean.

Yes

OR OR. OR reads all the Boolean values, performs a bitwise OR function and writes the result. The result is a Boolean.

Yes

ORW OR WORD. The input values can be integer or double. All values must be of the same type and the result will be of the same type. This function performs a logical OR of the inputs.

Yes

OSP One shot pulse. The input is a Boolean. The output is a Boolean. When the input goes True, the output goes True for one program scan. The output will be False the next time the function block is executed, regardless of the input.

No

OSP-SIL One shot pulse SIL. The input is a Boolean. The output is a Boolean. When the input goes True, the output goes True for one program scan. The output will be False the next time the function block is executed, regardless of the input.

Yes

OUTPUT Output. The output can be any value. The output function is used to select an output that will be directed from logic.

Yes for all but floating-point and string values

PACK16 Bit Packing. This function performs a bitwise packing of the Boolean inputs into an integer.

Yes

PKDT Pack Date/Time. This function performs packing of 6 integers into a Time/Date data type.

No

PULSER Pulser. This function block creates a periodic pulse of defined ON and OFF time-values. The ON and OFF time-values may be different.

RND Round. Halfway values are rounded to the nearest even number (banker's rounding). The input value is a float. The result will be a double; e.g. 5.5 rounds to 6, 6.5 rounds to 6, -5.5 rounds to -6, -6.5 rounds to -6.

No

RS Reset/Set. If Reset input is set to True, then the output is False. If Set input is set to True and Reset input is False, then the output is True. If both are False, then there is no change in the output. This gate is Reset dominant bistable. If the Reset input is True, then the output is False, regardless of the Set input.

No

RS-SIL SIL Reset/Set gate. The SIL Reset/Set gate operates the same as the standard RS, but provides duplicate storage for the persistent value.

Yes

RTM Retentive Timer. This function block performs a Retentive On Timer function. It provides a delay of time PT from the rising edge of input IN.

No

RTM-SIL SIL Retentive Timer. The SIL Retentive Timer operates the same as the standard Retentive Timer, but provides duplicate storage for the persistent values.

Yes

SCALE Scale. The input values can be integer, double or float. All the values must be of the same type. The output will be of the same type. The first value is the input. The second value is the low range for the input. The third value is the high range for the input. The fourth value is the low range for the output and the fifth value is the high range for the output.

No

SEL Selector. The True and False input values can be Boolean, integer, double, string or float. They must be of the same type and the output will be of this type. The selector input value is a Boolean. If the selector is False, then the value at the False connection is passed to the output. If the selector is True, then the value at the True connection is passed to the output.

Yes for all but floating-point and string values

SQR Square. The input value is a float. The result will be a float. No

SQRT Square Root. The input value is a float. The result will be a float. No

SR Set/Reset. This function block performs a Set-Reset function. If the Set input is set to True, then the output is True. If the Reset input is set to True and Set input is False, then the output is False. This gate is the Set dominant bistable. If the Set input is True, then the output is True, regardless of the Reset input.

No

SR-SIL SIL Set/Reset. The SIL Set/Reset gate operates the same as the standard Set/Reset gate, but provides duplicate storage for the persistent value.

Yes

STRAPD String Append. When the enable input is True, source string 2 is appended to the end of source string 1 and placed in the destination string.

No

STRCPY String copy. When the enable input is True, the source string is copied to the destination string.

No

STNCPY String “n” copy. This function is used to extract parts from a string. When the enable input is True, no more than ‘Count’ characters starting with character ‘Index’ are copied to the destination string.

No

STREQ String Equal. When the enable input is True, source string (S1) is compared to source string (S2).

No

SUB Subtract. The input values can be integer, double or float. The output will be the same type as the input.

Yes for all but floating-point

TDSTR Time and Date to String. When the enable input is True, the time/date value is converted to a string. The input value can come from any valid time/date source. The output format is selectable.

No

TOF Off Timer. TOF provides a delay of time from the falling edge of the input.

No

TOF-SIL The SIL version of the Off Timer is the same as the normal TOF function, with the addition of duplicate storage for the elapsed time variable.

Yes

TON On Timer. TON provides a delay of time from the rising edge of the input.

No

TON-SIL The SIL version of the On Timer is the same as the normal TON function, with the addition of duplicate storage for the elapsed time variable.

Yes

TRUNC Truncate. The input value is a float. The result will be a double; e.g. 123.456 = 123.

No

UNPK16 Unpack. The input value is an integer. This function performs a bitwise unpacking of the input into Booleans.

Yes

UPKDT Unpack Date/Time. This function performs an unpacking of a Date/Time to 6 integers.

No

XOR Exclusive OR. The input values are Booleans. The output is True when the number of True inputs is odd.

Yes

XORW XOR WORD. The input values can be integer or double. All values must be of the same type, and the result will be of the same type. This function performs a logical XOR of the inputs.

Yes
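The RS/SR dominance rules and the "duplicate storage" idea behind the -SIL gate variants listed above, as an added Python model that is not from the manual or from Det-Tronics. The manual does not describe how the controller implements its checks, so the inverted-copy scheme and every class and function name here are assumptions chosen for illustration.

```python
class StorageFault(Exception):
    """Raised when the two stored copies of a persistent value disagree."""


class DuplicatedBit:
    """One persistent Boolean kept as a value plus an inverted copy (assumed scheme)."""

    def __init__(self, value=False):
        self.write(value)

    def write(self, value):
        self.primary = bool(value)
        self.shadow = not self.primary   # inverted, so identical copies mean corruption

    def read(self):
        if self.primary == self.shadow:
            raise StorageFault("persistent value copies disagree")
        return self.primary


class Latch:
    """RS (reset dominant) or SR (set dominant) bistable, evaluated once per scan."""

    def __init__(self, reset_dominant):
        self.reset_dominant = reset_dominant
        self.state = DuplicatedBit(False)

    def scan(self, set_in, reset_in):
        q = self.state.read()            # verify storage before using it
        if set_in and reset_in:
            q = not self.reset_dominant  # RS gives False, SR gives True
        elif set_in:
            q = True
        elif reset_in:
            q = False                    # neither input True: q is left unchanged
        self.state.write(q)
        return q


def demo():
    rs, sr = Latch(reset_dominant=True), Latch(reset_dominant=False)
    # Constructed (Set, Reset) input pairs, one per program scan.
    trace = [(True, False), (False, False), (True, True), (False, False)]
    rs_out = [rs.scan(s, r) for s, r in trace]
    sr_out = [sr.scan(s, r) for s, r in trace]
    sr.state.primary = not sr.state.primary   # simulate a random memory error in one copy
    try:
        sr.scan(False, False)
    except StorageFault:
        return rs_out, sr_out, True
    return rs_out, sr_out, False
```

With both inputs True on the third scan, the two gates diverge, and the single corrupted copy is caught on the next read instead of silently changing the latched output.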

Corporate Office, 6901 West 110th Street, Minneapolis, MN 55438 USA, www.det-tronics.com

All trademarks are the property of their respective owners. © 2015 Detector Electronics Corporation. All rights reserved.

Det-Tronics manufacturing system is certified to ISO 9001, the world’s most recognized quality management standard.

Phone: 952.946.6491 Toll-free: 800.765.3473 Fax: [email protected]